{{- if and (eq .Values.controlPlane.environment "kubernetes") (not .Values.noHelmHooks) }}
# Helm first deletes Kuma's RBAC, then tries to delete Secrets. We have a validating webhook on Secrets.
# Even though the policy of this webhook is Ignore, the deletion fails because Kuma no longer has permission to access Secrets.
# Therefore we first need to delete the webhook so that the rest of the deployment can be deleted.
{{- $serviceAccountName := printf "%s-pre-delete-job" (include "kuma.name" .) }}
# Identity used only by the pre-delete hook Job. The hook-delete-policy lists
# all three policies, so Helm removes this account before re-creating the hook
# and again after the hook finishes, whether it succeeded or failed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ $serviceAccountName }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kuma.labels" . | nindent 4 }}
  annotations:
    helm.sh/hook: 'pre-delete'
    helm.sh/hook-delete-policy: 'before-hook-creation,hook-succeeded,hook-failed'
{{- with .Values.global.imagePullSecrets }}
# Pull secrets are attached only when global.imagePullSecrets is non-empty.
imagePullSecrets:
  {{- range $secretName := . }}
  - name: {{ $secretName | quote }}
  {{- end }}
{{- end }}
---
# Least-privilege role for the pre-delete hook: it grants a single verb
# (delete) on a single named ValidatingWebhookConfiguration. A ClusterRole is
# used because ValidatingWebhookConfiguration is a cluster-scoped resource.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ printf "%s-pre-delete-job" (include "kuma.name" .) }}
  labels:
    {{- include "kuma.labels" . | nindent 4 }}
  annotations:
    helm.sh/hook: 'pre-delete'
    helm.sh/hook-delete-policy: 'before-hook-creation,hook-succeeded,hook-failed'
rules:
  # resourceNames pins the rule to this release's webhook configuration, so
  # the hook's token cannot delete any other webhook configuration.
  - verbs:
      - delete
    apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    resourceNames:
      - {{ printf "%s-validating-webhook-configuration" (include "kuma.name" .) }}
---
# Grants the pre-delete ClusterRole to the hook's ServiceAccount and to no
# other subject. Like the other hook resources, it is removed by Helm once the
# hook has run (succeeded or failed) and before the hook is re-created.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ printf "%s-pre-delete-job" (include "kuma.name" .) }}
  labels:
    {{- include "kuma.labels" . | nindent 4 }}
  annotations:
    helm.sh/hook: 'pre-delete'
    helm.sh/hook-delete-policy: 'before-hook-creation,hook-succeeded,hook-failed'
subjects:
  - kind: ServiceAccount
    namespace: {{ .Release.Namespace }}
    name: {{ $serviceAccountName }}
roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
  name: {{ printf "%s-pre-delete-job" (include "kuma.name" .) }}
---
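# Pre-delete hook Job: removes this release's ValidatingWebhookConfiguration
# before Helm deletes the rest of the chart. It runs under the dedicated
# pre-delete ServiceAccount, whose ClusterRole allows only that one delete.
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ template "kuma.name" . }}-delete-webhook
  namespace: {{ .Release.Namespace }}
  labels:
  {{- include "kuma.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": "pre-delete"
    {{/* Ensure the job is created after the RBAC resources */}}
    "helm.sh/hook-weight": "5"
    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
spec:
  template:
    metadata:
      name: {{ template "kuma.name" . }}-delete-webhook
      labels:
      {{- include "kuma.labels" . | nindent 8 }}
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      {{- with .Values.hooks.nodeSelector }}
      nodeSelector:
      {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.hooks.tolerations }}
      tolerations:
      {{- toYaml . | nindent 8 }}
      {{- end }}
      restartPolicy: OnFailure
      # Pod-level security context comes entirely from hooks.podSecurityContext.
      securityContext:
      {{- toYaml .Values.hooks.podSecurityContext | trim | nindent 8 }}
      containers:
        - name: pre-delete-job
          # NOTE(review): the image is referenced by tag, not by digest. The
          # container runs with this Job's ServiceAccount token, so the registry
          # and tag should be ones you control or trust; pin a digest if possible.
          image: "{{ .Values.kubectl.image.registry }}/{{ .Values.kubectl.image.repository }}:{{ .Values.kubectl.image.tag }}"
          command:
            - 'kubectl'
            - 'delete'
            - 'ValidatingWebhookConfiguration'
            - "{{ include "kuma.name" . }}-validating-webhook-configuration"
            # Make the hook idempotent: if the webhook configuration is already
            # gone (for example when an earlier uninstall attempt got this far),
            # exit successfully instead of failing and blocking the uninstall.
            - '--ignore-not-found'
          # runAsUser defaults to 65534 and can be overridden by
          # hooks.containerSecurityContext. Any further hardening (for example
          # allowPrivilegeEscalation or dropped capabilities) is applied only if
          # that value supplies it - TODO confirm against the chart's values.
          securityContext:
          {{- toYaml (mergeOverwrite (dict "runAsUser" 65534) .Values.hooks.containerSecurityContext) | trim | nindent 12 }}
          resources:
            requests:
              cpu: "100m"
              memory: "256Mi"
            limits:
              cpu: "100m"
              memory: "256Mi"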
{{- end }}
